
CG - Why Am I Surrounded By Friggin' Idiots?!? (Because You Hired Them!) - Stephen Heath

BSides Las Vegas · 52:44 · Published 2016-12
About this talk
CG - Why Am I Surrounded By Friggin' Idiots?!? (Because You Hired Them!) - Stephen Heath Common Ground BSidesLV 2014 - Tuscany Hotel - August 06, 2014
Transcript [en]

[Music] All right, here we go. This is Stephen Heath, and this is "Why Am I Surrounded by Friggin' Idiots?" All right, well, as you said, my name is Stephen Heath, and this talk is titled "Why must I be surrounded by friggin' idiots?" The answer to that question is: because you probably hired them, if you're in a position like I am. So to sort of start off, I want to give you guys just a bit of background about me. I work for a small consulting firm up in Spokane, Washington, as the Director of Security Services. Master's degree in computer science, too many certs, and I know that doesn't really mean crap, but, you know, they asked for an RFP, so I got

to do them. Worked in IT for over 10 years. I run a team that's called security consultants/analysts. Two-year-old son you see in the picture; Seattle sports fanatic, as you can see from what I'm wearing; and I'm a serious nerd, and that picture should pretty much prove that. The reason I'm going over all of this is that nothing I have in my background prepared me at all for having to be a manager: having to hire people, having to bring people in and build a team. I mean, I started out as a technical guy, worked as a pen tester, occasionally doing a little bit of audit, kind of getting into that realm. You start out at a small consulting firm; I was

employee 5, with 35 now. You know, it grew up, I have a team of about six or seven guys that I run and manage all the time, and I really didn't have any particular knowledge or experience that gave me a good picture of how to hire people and what to do. So that was kind of the genesis of this talk. Well, in groups like this, there are other people here that have gone through the same story. We're all technical people, for the most part, here; that's what we do for a living, that's what we want to do. So when we end up in this position, we have to be able to build a

good team. And so I really looked at, okay, this is how I've been hiring, pretty much in 12 steps. It was: okay, somebody quits or you have to fire somebody, fine, so I have a position open. Okay, well, then I panic. Oh shoot, I now dust off that job description, send it to HR, make sure they take a look at it, and it's "Yeah, sure, whatever." We post it online; we'll find them on Monster, Dice.com, that's a great place, let's put it there. Then we look at some resumes and we pick about three that don't suck terribly. We go in, we do the interview, and we ask them, okay, what are

your strengths and your weaknesses? Can you tell me what makes you a unique snowflake? And then we just sort of hire one of them and say, "Yeah, you'll work." And then in like three months you just regret the hell out of it, like, "Dammit." And so then you spend the next three months trying to internally justify why you need to fire this guy, and then you fire them, and then, whoops, I've got to panic again and start the cycle over. So you really come to the conclusion that the best way that you will ever deal with a bad employee is just to not

hire them. Let's just cut this cycle out. Let's actually hire somebody that we really need, that can really contribute to our organization, and get the right person in to begin with, instead of wasting our time going through this cycle. So yeah, how do we do that? Well, of course every manager is going to have a different idea or a different way of doing it, but I wanted to put together: here are the ways that I found that actually work. This is what's good. So the first thing you really need to think about is: what are

you actually looking for? What is the job you actually need this person to do? Your job description is mostly worthless. I mean, it's something that's written by HR to sort of try to cover everything. You've got a job description, you're kind of required to have it, but you really need to think: okay, what is this person really going to be doing? And be specific. If there's somebody who's going to be working on your Palo Alto firewalls all day, or your Fortinet firewalls or whatever, if that's going to be their job, then you might want to actually think about: can they do this job that you're

going to be hiring them for? If you need a pen tester, then they'd better be able to do a pentest. You've really got to be specific about what you're having them do. And you've also got to think: what are the things that are important to me in my team? What makes us tick, what makes us operate, what makes us run? And so you're going to have things like, okay, how much experience? Is this somebody that I'm willing to pay a little bit less for, but I'm willing to train them up and spend some extra time with and get them going? Are they

going to fit with our culture? Do they actually care about security, or are they just kind of an IT guy who's like, "I want to try that security stuff"? Do they have soft skills? Do they actually have the right technical ability? We have to actually think about what's important for us to be able to build the right employees and build the right team for what we're trying to do. So the first thing that I found that's just incredibly powerful when you're doing this kind of thing: build a bench. Actually think about the fact that your online job postings are rarely going to get you the people that you actually want. You're

going to have to filter through so much. You have to go through a ton of resumes, go through a ton of things. Sometimes these things actually work, but when you actually get right down to it, you say, okay, just get into this mode of continuously recruiting. You meet somebody who you think would be a perfect fit for your team. You meet him at a conference. You go out and visit a college. There are a couple of universities around Spokane, and they're always happy to have speakers or anyone come in. You just come in and talk about infosec, talk about crazy things that you've seen while pen

testing, and then afterwards you have a couple of kids who are really excited about it come up to you, and they're like, "Hey, I want to know more about this. I want to get more involved in what's going on. I want to understand it. Oh yeah, I was doing this one thing." And you actually get people who are passionate, interested in what's going on. We've also tried other things, like giving a bounty to employees. There's no recommendation like the recommendation of a current employee, somebody who's already on the team, who already knows how you tick, how you operate. They can think, "You

know, I know this guy who's going to be perfect to be in here." We actually just basically set it up that if you recommend somebody for a job and they stick around for six months and become a valuable part of the team, we'll give you a thousand bucks, just throw it down. And we found a couple of good employees by it. And you think, a thousand bucks, that's a lot of money. Think about this: an online recruiting service, that's like $10,000 or $20,000 to get somebody in there. A thousand bucks to an employee? I'd much rather give an employee a thousand bucks than give

some online recruiter that kind of money. You can really put together a really good bench of employees. The other thing that's great is you can actually know what these people's skills are. There are a couple of people out there that I've targeted; I've thought, this person would be a great fit for the team. I don't have a position open for them right now, but I know that at some point, if I need somebody who can do auditing and that sort of thing, I've got somebody right on the bench, and I can say I know exactly what

this person knows, that she would fit immediately with our organization, our culture, what we've got going on. Know the skill set, know everything, even know the salary requirements, know everything. On the bench it's a no-brainer; you know what you've got right there, so it's easy. The one thing, of course, that I found is that I only run the one division of the company, the security stuff. I ended up having a bench that was so good that my bench keeps getting poached by other people in the company. It's like, "No, man, I found that guy, what are you doing? You can't take him." But at least you're

getting the other good people into the company. But the other thing you've really got to keep in mind is that your best employees probably already have a job. There are a few; sometimes things happen, people lose their job and they're looking for things, but usually your top-notch employees are already working somewhere else. So by actually going out and connecting and networking with people, you're going to be finding people that you kind of have on your employment bench that, yeah, they already have a job, but they might be looking to move. They might be looking to transition out of where they are and come work for you. So you

know, don't put too much stock into the whole idea of doing the online job posting or trolling LinkedIn to try and find somebody. You're going to be spending a lot of time, wasting your time, doing that. The other thing, just to keep in mind when you're looking at people's resumes, and it is kind of common sense, but I like to call resumes the Internet of job hiring; in other words, they're mostly [ __ ]. You've really got to watch out and look for the red flags, look for what's actually going on in people's resumes. People love to inflate what

they're doing. Obviously, certain things: when people have a typo in the phrase "I have a great attention to detail," that's probably a red flag. It has been done. If they can't even organize their own resume, it's going to be really hard; if they've got to put together a pen test report or something else for a client, are they going to be able to do that when they can't organize their own damn resume? It's something to really keep in mind. The qualifiers, these are my favorites. This is: "I had exposure to Linux." What the hell does

that mean? Honestly, what does that mean? Oh, I shoulder-surfed one time when a guy was logging into a Linux box; I had exposure to Linux. Or, "I attended this college." Well, did you graduate? What classes did you take? What did you do? That means absolutely nothing to me. If you say "I attended," or "I assisted with this project," what did you do, go get the guy coffee? Did you actually work on a firewall? Did you do that, or were you around to go get the sandwiches at lunch? "I assisted with

that project," dammit. When people use qualifiers, I always just sort of mark that in the resume, and if they do make it to an interview round or something, I'm going to call them out on that. I might ask them, what exactly did you do? I mean, come on. The other thing is a certain level of professionalism. If somebody has the email address "brownie for life @ hotmail.com" on their business resume, maybe there's a certain question of tact, or of whether they would actually have the professionalism to be able to do the job,

if that's what they're putting on their resume. Maybe you want to think about that. The other one that everyone likes to talk about is the strange gaps in employment. It's all cool; many people lose their job or go off and do something else for a while that's not really relevant to the job history, and that's fine. But it's definitely worth asking if somebody has a four-year gap: are they just trying to hide something? "I worked for this guy and I got fired because I was a terrible employee, and I don't want you to talk to him." It's

usually a good idea to key in on those strange gaps and just say, okay, what's going on, if you actually are talking to them. This is the other thing to really think about when you're going through the hiring process: sometimes the best employee is not the best candidate. You've got the guy who comes in with a pristine resume, all polished, has all the perfect answers for every single standard interview question, probably because he's been through about 50 interviews and jumps jobs every two years and does a lot of other things. It's okay for your candidates to not be perfect,

but you want to actually think about that. You don't actually want somebody who's just the pristine candidate; they might not be the guy that you're actually after. So, a few other things I like to do as you're going through the hiring process, trying to find people: I like to pre-screen. Here you go, you go through, you find some resumes and some people that you actually want to talk to. It's not a bad idea to actually just do a sanity check on the resume and filter out somebody, because let's face it, interviewing is a pain in the ass. Okay, it is.

It takes a lot of time, it takes a lot of energy. You basically have to block out half a day, and for all of us who are really busy and have a lot of projects going on, that's a huge time investment. The last thing you want to do is have an interview with somebody which is an absolute waste of your time. It's like, okay, I just took that half hour, hour, and flushed it down the toilet. I'm just not getting that back, and if I've got other projects to take care of, I'm probably going to end up doing those at night and hear about it from my wife, and it's not going to be fun, and

I don't want to get into that. So why not just filter some people out? One of the things I love to do is the written pre-screen. It's really easy; you could just throw together something on SurveyMonkey or something and email it out to somebody, just to test their writing ability and their ability to interact with clients or send an email or do something like that. You can tell them, hey, I've got this email from a client who's completely pissed off. Just tell them, this is the email you just received from a client, how do you handle this? And just see if their

writing skills are even up to it. See if they can actually handle being able to diplomatically calm down some sort of client that's really ticked off at you, or deal with somebody like that. The other thing, just to make things really simple: just tell them, okay, just describe for me the list of steps you'd take to investigate a malware infection. Or heck, you can even take it down to the bottom level: write out a list of steps to troubleshoot a printer that won't print. Let's go all the way back to just IT 101. You're not really looking for the answer of how

they do it; you're looking for how they can organize a list and actually put things together. Do they have decent writing skills, or is it going to be filled with typos and look like crap? Having decent writing skills is almost mandatory for what you're wanting to do, so you want to make sure that you can filter that kind of thing out. The other thing, a quick, easy way to do it: just do a phone pre-screen. Just see what they sound like on the phone. If they sound like a complete idiot on the phone, they're probably not going to be a good fit, and you can save yourself a lot of time with

a five-minute phone call that you would have otherwise had to waste a bunch of time on. And this is actually a decent spot, because you're not really after a big... you're not actually after real kind of interview questions. If your HR wants you to ask all the classic interview questions, the pre-screen is not a bad time to do it; just get those out of the way. Because really all you want to do is hear what they sound like, how they organize their thoughts, if they can actually communicate with you at all. If they can't, you can just

kind of get them out of there. Another good thing to do is to notify them of any bookkeeping. You filter out some people; notify them, okay, if you have to do a background check, drug check, anything like that, a credit check, anything that you're required to do as part of the job, it's a good idea to notify them then. So in case it's, "Oh yeah, I've got two felonies, and if I get a third strike I go to prison for life," well, okay, maybe we can just end this right here, let's move on. The other thing, and this one's kind of... if you look at hiring advice,

you look at hiring blogs, books, whatever, you find this advice absolutely goes in both directions. You either find those that say you should get salary requirements out of the way first, immediately, just get it over with and find out what's going on, or people are like, you really shouldn't talk about that until later. I actually fall in the former camp. I'd like to know really what I'm up against, because if I have a candidate that comes in absolutely perfect and he wants twice what I have in my budget to be able to pay him, I'd rather know now. Let's just not waste... I don't want to waste his time either,

because clearly if he's really a candidate, his time's valuable. I don't want to waste his time; I don't want to waste my time. Let's just go ahead and get it out of the way. So I like to just go ahead, on the phone pre-screen, and kind of say, what are you looking for, just so that we can get it out of the way. The thing to keep in mind, though, is that this really doesn't have to be formal. If I have a kid that sort of emails me

after a talk I gave out at a college, emails me, "I'm interested in the job," I can just write a couple of emails back and forth with them and I can already tell a decent amount about their writing skills just through that. It doesn't have to be this big formalized process. If you want it to be, it can be, great, but it doesn't have to be. You can also just pick up the phone: "Hey, what's going on?" This is actually my absolute favorite thing to do, and I found it just works fantastic: just a happy hour. Just set up a little event. It doesn't even matter: a happy hour, wine tasting, beer

tasting, a sporting event, whatever. Anyone that you're considering hiring, that you kind of have on that bench, in the back of your mind, "I'd like to hire this guy someday," just shoot them an invite, get them out there. Again, the amount of money that you're going to spend on doing something like this is a fraction of what you're going to pay for an online recruiter, and with the recruiters you never know who you're going to get, if they're going to fit your culture, if they're actually going to fit anything you want. It works great, not to mention the fact that you can actually see how they

interact with your team. You bring some of your other guys down there, have them hang out, talk, have a couple of beers with each other, and just see how they interact. You might find that they're more interested in sitting there the whole time kissing your butt instead of actually learning about the rest of your team. Well, that's a flag you might have in your mind of, okay, that's how they're going to act. And the biggest reason I like to do this, honestly, is that this is my rule: if I can't stand to sit

down at a table and have a beer with a guy for half an hour, I damn sure don't want to hire him. Let's just be completely honest here. And the big thing, let's keep in mind that everything that I have listed so far in this talk is something you could do before you ever even consider stepping into an interview room. When you actually think about it, if you apply all these rules, if you actually think about what I've gone over here and what we've talked about, you've filtered out a hell of a lot of people from your candidate pool. You actually don't have

to worry about a lot of people who just might not work out, or might not fit your culture, might not fit what you're trying to do, and we haven't even bothered to start interviewing yet. And that's the thing: I actually feel like I've got a really good team now. They work together well, they do everything, and all the key players on it are people that I vetted before I hired, that I had a pretty good idea, even before they came in, were going to be the top candidate before we even got in there, because they

already fit. So I really encourage you to actually think about that if you're in a position where you have to hire. The other thing here is, when it actually comes to doing the actual interview itself, you really want to choose your questions, and choose them well. Your interview should be short. You're really going to know a lot of what you need to know fairly quickly, particularly for a first interview. The best thing to do is, again, going back to the very beginning, list what's important to you, go through and hammer out, okay, these are the things I absolutely need for the job, and every question...

I mean, don't waste your time putting in throwaway questions. Put in things that actually identify these critical things. So, in my case, usually what I try and do is hammer out, okay, about fifty percent of the interview I'm going to have sort of technical questions, because it's generally a technical role I'll be hiring for, and I want to know what their technical skill set is, where they are, what's going on. The must-haves: you have one or two questions there, absolutely must-have, like these are things I need to get a good answer out of. Flag those things,

some other things that are nice to have. Overall, though, eight to ten questions and you should know what you need to know. If you want to do more than that, after you've gone through this initial screening you might have two or three guys that are left that are, hey, these guys are all pretty good, and you can always bring them back for a second interview. But that way you're not actually wasting your time going through a big, long laundry list of questions in the interview. So this is my particular list. I want people with some sort of technical ability. Obviously they've got to

have some sort of skills. They have to have at least a baseline, even if they're green and I'm going to train them. I still want them to actually be able to handle the basics of the job, to actually have some level of competency when they're walking in the door. For a more senior position, then obviously I need people who are a lot more skilled. The other thing, honestly, is I want people that are passionate about infosec. I personally think that if you're in infosec, it can be thankless enough as it is; you're going to get stuck in long hours. You're out on

some pen test, so I want the guy who's so eager to solve the puzzle that he's not afraid to be working at one-thirty in the morning, trying to bang away: "I almost have it, I almost have it, I'll get it." You've got to have that guy who is really interested, really excited about solving the puzzle. Or, if you're on more of the blue team side, somebody that's actually looking through the data, and maybe they find something, and they're the type of employee that you have to tell, "God damn it, go home, you've

been here long enough." That's the kind of employee that you want to have on your team: somebody who's actually enthusiastic about what they're doing, they're really excited, they're always out reading blogs, checking out Twitter, finding out new things that are going on. I want people on my team that I'm finding out stuff from, where I'm like, "Holy crap, this is awesome." That's what I want. Obviously you need some level of ethics about what you're doing. That really is kind of a tough thing, but you can't really have somebody, if you're going off

and doing pen tests on banks and everything, you don't want to have somebody you're worried about, where you stay awake at night saying, okay, what were they actually doing in there? Am I going to find out later that they were putting in backdoors? Am I actually going to have to invoke that professional liability insurance that we keep? I don't really want to ever have to deal with that. Fit with the culture: honestly, when you have a good team that's working like a well-oiled machine and people are getting along, nothing can ruin it worse than somebody who just doesn't fit at

all. They don't have to be the perfect fit; people are all different, and you don't want a bunch of clones that all think the same way. But if you've got guys that are just totally off the deep end, that are completely not going to fit with your culture at all, it's probably best that they find work somewhere else, and you can put together a great team that actually works together and communicates well. If they're all sort of on the same page, it's really going to help the way things go. And then, obviously, the last one that I have

to have is somebody with good communication, good soft skills. At this point I don't have anyone that I can bury in the basement and never let the client see. You've got to have somebody that's going to be actually out there and able to be in front of the clients. Any time you have a client, you want to be able to stick them out in front of them and not have to worry about, "Oh God, am I going to get a call? Am I going to get a call?" You want somebody who's good. So when it actually comes time for the

interview, I have found that a lot of people, when they're hiring, just want to have one person. I think it's always better to have multiple opinions in there, but don't go crazy. This isn't the meeting of the Joint Chiefs; we don't need to have 20 people in the room, everyone giving their opinion, because everything just gets clouded up. Just pick maybe one person that you really trust. I actually usually interview with our HR manager, who's completely non-technical,

and it actually can give me a good perspective, because that's one of the things I always love to do in the soft skills part of the interview: okay, what you just explained, explain it to her. Okay, you're really smart, I believe you, you're correct in what you're doing, but she can't understand a word you said, so explain it to my HR person. The other thing that I always tell people is that when I first started doing IT, I was working for a city job, and there were these city rules: if you ask any interviewee

these five questions, you have to ask every single interviewee these exact five questions. Thankfully I'm not doing that anymore, so I kind of have a little bit of leeway to actually ask a lot of other questions and do what I want to do. But just don't be afraid to pull the plug. If you're five minutes into this thing and you know that this guy isn't going to work, like I said, me and the HR manager, we kind of just have that little look we can give each other, and then we just start skipping questions, and it's just, okay,

let them get out of this interview with a little bit of dignity, but let's just get it over with, because we've all got too many important things to do. Let's not waste their time going through the interview and a bunch of stuff. Let's not waste their time, let's not waste our time, if we already know this person is not going to be a good fit, and I mean totally, glaringly not a good fit. Get them out of there. Another thing that's great to do: if you've got a couple of candidates that you like, don't leave them hanging.

If there's some sort of delay in making a decision or delay in figuring things out, don't be afraid to just send them a little email saying, "Hey, thank you for coming in, we're still working on some stuff." Everyone can remember when you've done a job interview, you've gone in and you thought it went well, but you don't know, and then you wait a week, two weeks, and you're just not hearing. It's aggravating. So if it's not going to work out, you can let them know now; but if it is, you know. In the job interview, if somebody has a major

problem like hygiene, if somebody can't shower before they go to a job interview, that's a problem. If they're in totally inappropriate attire that wouldn't make any sense, if they show up late, have bad time management, that kind of thing, it's not good. I actually had one guy that... now, you know, that's nice and all, but what does that kind of tell me about you? That you're already out there just complaining and moaning about all this other stuff. What happens the first time things get a little tough around here? You're going to run around telling everyone how much we suck? Is that what's going to happen here? What's going on? It just struck me as a red flag. In front of them,

and being able to actually have them not embarrass you or embarrass the organization: those are things to always keep in mind. When you begin the interview, the thing to keep in mind is that this is their first impression of you, usually, so you want to actually be on your best behavior too. Actually show them, hey, this is a place that you really do want to work, because you don't want to have the perfect candidate come along and, yeah, they don't want to work with you because you spent the whole interview checking your email on your phone or something dumb like that. You want to highlight elements of your culture that make your place

unique. I mean, we've got a whole thing where every time someone's hired we issue them a Nerf gun, and they're expected to defend themselves at all times, and generally on your first day on the job you get shot to hell. That's just part of the culture; it's one of those things that happens. So if you've got that sort of element in your culture, highlight it, make them understand this is a work group that you want to be a part of. You want to clearly highlight and explain the role: what are they actually going to be doing? As a caveat, don't actually tell them everything that you're looking for in an employee. People are really smart about that: the minute they hear you might be looking for this, they immediately shift and tell you all about how they're perfect at just that particular thing. If you say you're looking for a particular trait, they're going to be talking to you about it; if you say, "I need somebody who's going to be reliable," they'll spend the rest of the interview talking about how reliable they are. Just be careful about that kind of thing. Also, be on time. Their time is valuable, your time is valuable; actually think about those kinds of things.

If you're an employee and you're going into an interview, think about a few other things. If the interviewer is late, that's probably not a good sign. If they spend the whole time talking crap about the person you're replacing, "Oh God, I'm so glad we're rid of that guy, we want to hire somebody new," well, what are they going to say about me if they ever get rid of me? Are they going to sit there and tell everyone how crappy I was and what I did? I don't really think that's a very good thing. This is the biggest red flag that I can ever say for someone: if you're going in for a job interview and the person who's hiring you can't actually explain to you what you're going to be doing on a day-to-day basis, they don't know what the hell they're doing, and I don't know if you really want to be part of that company. They really should have a good vision of what you're going to be doing, how you're going to be contributing. Obviously positions change, things change, but they should have a good idea of how they're going to be using you. It's a pretty unfulfilling job, just sitting in a cubicle waiting for somebody to tell you something to do. It sucks. If they haven't even

looked at your resume before the interview, are they really that invested in this? Are they actually looking at you? As a guy who's hiring, I always love to take at least a few minutes, if they're actually making it to the interview, to look over the resume, jot down a few questions about it, actually ask them things that are important about their resume and actually talk about it.

These are your interview classics that everyone loves to talk about. HR makes me have them in there sometimes, but I think they're generally fairly worthless. I mean, "Are you a team player?" "Why, no, I am not a team player, I'm a raging dick." Come on. "List your strengths and weaknesses." I love people's answers to that one: they list off all their strengths, and then they manage to list a weakness that somehow makes them sound like a strength. "I just work too hard, I'm so overly devoted to my job, I don't know what to do." Come on, what does that actually tell me about you, other than that you get creative about having to figure out what sort of weaknesses are out there? "Where do you see yourself in five years?" I don't really know. I need someone to work right now; I don't really give a crap about five years. It doesn't really help me out.

So these are the things that I really like to interview about, and some of the questions I like to use. Number one: is somebody passionate about infosec? This is the first question I generally start out every interview with: where do you get your infosec news from? CNN? Okay, I don't think so. Tell me at least one interesting story you've heard about in the last week. If people get stuck, it's like, "Just tell me one interesting story you've heard about," and they're completely stumped. I actually was interviewing a guy and asked him, and it was just like three days after the Target breach, and he couldn't name me one story. It's like, I don't think you're really that passionate about this whole infosec thing, I don't think you're really looking at things, figuring things out. You want answers like, at the very least, "I get news from my Twitter," or somewhere else, something that's not mainstream news. If somebody says, "Oh yeah, occasionally something pops up on MSN," come on, you're interested in infosec, you're not passionate about infosec. Another great question, an easy one to ask people: what does your home

lab look like? How do you practice your exploits, or how do you practice what you're doing? It's a simple question. You want answers like, "Oh, I've got a ton of old machines and I do this," or "I've got a whole bunch of vulnerable VMs that I love to practice on and do all these other things." That's a good answer. People who are just like, "I don't really have one," that could be kind of a red flag. Are they really that passionate about it if they're not actually trying these exploits they hear about? I don't know; for a lot of us, the first thing I want to do when I hear about some crazy exploit is, "I really want to try that, that sounds awesome." Those are the kind of people you want.

The next question: what's the coolest hack you've ever encountered? Seriously, walk out there, find someone at random and ask them that; it's like crack cocaine. "Oh [ __ ], I heard about this, dude, it was awesome," and they just can't shut up about it if you get someone who's actually passionate about it. People who don't really care: "Oh, I don't know." You can really weed that out. And again, I love people who are passionate about infosec, even if their technical skills aren't there. I'd rather take someone whose heart and soul and passion is in it, who wants to learn, who wants to know about it. That's the kind of guys I want on my team.

Ethics questions: sort of a basic, classic one is, "Tell me about some ethical dilemma you faced in the past, how you handled it, what you learned from it, what you would do differently." That's kind of a standard one. I generally like to give people a scenario-based one, and this actually happened, I'm not making it up. I was at a client, just doing an audit, and I had an IT guy tell me, "Well, I didn't think we were secure enough, so I tried to hack my third-party web hosting vendor, and I hacked the [ __ ] out of them," and all this other stuff. I'm like, okay, well, that kind of brings up an awkward... It's like, okay, he's great, he's

interested in what he's doing and everything like that, but think about that for a minute: how much trouble could you get in for doing that, from your own business? "I'm just going to hack my web hosting," kind of thing. Well, what would you do, how would you handle that? I don't know if there is exactly a right answer, or how to move forward, but that's definitely an odd scenario to ask what you would do. You might want to know that.

Do you fit with our culture? Kind of some more standard questions: what are the positive aspects of your current job and work environment? What do you like about your current job? Have them actually tell you, "Here's the things that I think are really cool about where I work right now," as opposed to just having them bad-mouth it. "These are the things I like, these are the things that work well." Another one: you can look at how they work on a team, as opposed to saying "Are you a team player?" You can say things like, "What role do you like to play on a team? What do you usually play? Tell me about a project that you did, one of the projects that you really enjoyed, that you felt was really successful. What did you do on that project and what role did you play?" You can get a good idea of, "Well, I jumped out front, I researched this and I did that," or "I found this problem, then I went and got help, and I figured out this whole thing." Get the whole story. Are they just going to get in there and be a worker bee? If you need a worker bee, that's fine, but are they just going to be the one who's in there doing the wrench-turning, or are they somebody who wants to jump to the front and figure out what's going on? It gives you a good insight as to what their team role is.

The final question is a question that I have to ask in every single interview: I ask people to tell me if they prefer ninjas, pirates or zombies, and why. The main reason for this is that I want to know if they actually fit into the culture. I actually had one person, she told me immediately without hesitation, "None of the above: robots." I said, "You're hired." That's what I say. Maybe it's just sort of our corporate culture that

you want people who actually have a sense of humor, who can take a joke in the middle of an interview. Kind of go forward with that.

Soft skills: an easy one, kind of a softball, is "Tell me what you know about our company." Did they actually research your company? Did they actually take the time, or are they just showing up for another job interview, doing their thing? Kind of like I was saying earlier: "Explain how a man-in-the-middle attack works to my HR director. How exactly does that work?" Can they actually break a complicated technical attack down, some crazy DNS spoofing or crazy ARP spoofing, to a level that someone with very little technical knowledge can actually understand? An easy one that can tell you a lot about how a person thinks is just, "What do you think it takes to effectively manage an organization's information security?" Do they have the big picture? What are they going to say? People who start talking about antivirus and endpoint and all this other stuff, well, okay, then they have a very ground-level knowledge of what's going on. If they actually start talking about architecture and devices and everything, you might get a very technical response. Some people might start talking about policy, social engineering training, everything; they start thinking at a high level. Some people might actually go through the whole thing. It gives you a good idea of where their brain's at and where they work. I like that one.

Technical questions: this is the part that they should just hit out of the ballpark. These are the things they actually should do. I love to test people's breadth of knowledge; you get a good idea of where their limitations are. Don't ever be afraid to make these questions hard. Just grill them, go through the whole list of questions, things that are actually really difficult, really hard. The best employees are always going to like to be challenged. You don't want to just toss out easy things to them; you want to know. And even if you get to a question that they don't know the answer to, that can be a real benefit, because you get them thinking through it, you understand how they think and how they react when they're confronted with something that they don't know about. Are they actually going to work through the problem, think about it, or are they just going to bail: "I don't know, I'm

sorry"? How are they going to handle that situation?

Some easy ones you can throw out there: describe in technical detail how a botnet works. If somebody says that they're passionate about infosec, comes in, but they can't tell you at least on some basic level how a botnet works, that's probably a warning sign that this is not somebody you want to have in your organization. Easy: what's the difference between encoding, encryption and hashing? That's an easy one. Another thing I love to do is throw up a packet capture, just take a Wireshark packet capture of something and drop it in front of them: "Tell me, what do you see?" It's funny the kind of things that you'll see. I have one that I've used in interviews in the past: it was just the packet capture of, I started Wireshark, I opened my web browser and went to espn.com, and then stopped Wireshark. That was it. Then I stick it in front of them, and I have heard the craziest freaking stories about what people think it is. I had one guy tell me, "This is clearly a denial of service attack." Really? It's interesting how people, when they don't know, tend to try to make something up. It's like, no, this is pretty straightforward, what's going on here.

Just some other samples, maybe getting a little harder: tell me examples of what a blind SQL injection attack looks like. That's a good one. List all the ways you can think of to prevent malware from executing on an endpoint. Are they just going to go to AV, and more AV, and more AV, or are they actually going to start thinking about some other ways that you might prevent malware on an endpoint? Another question: describe public key cryptography and give examples of how it would be used to provide confidentiality and integrity. Make it a question a little bit; that should be something that someone should be able to answer. If you actually want to get hard and you want to ask them something that maybe they might not know the answer to: explain the difference between a buffer overflow and a heap spray. What's the difference? Compare it for me. If they know it, great, and they're really passionate about it, they actually know what's going on in how exploits work, they're down and dirty into that. If they don't know, that's fine, but at least you've determined, okay, here's the baseline, here's the end of their knowledge.

If it actually comes down to doing a second interview, where we're

actually coming down to that, never forget that a demo is worth a thousand interview questions. If you can actually get them to show you what they know, it's way better, because people can BS their way through a question; they can convince you that they know something, but if they don't actually know it, they're not going to be able to demo it for you. So for a penetration tester, simple, I've done this before: I give people just an nmap scan of a network. You can even print it out on a piece of paper, hand it to them and say, "Okay, well, here's an nmap scan, there's about 10 hosts in there, just draw me that network on the whiteboard." The other thing you could do is just give them an info-gathering target and tell them, "Okay, well, you've got ten minutes, get as much information about this person as possible and tell me how you would spear-phish this guy." That could be a good one. The other thing you can do is just have a lab in there and have them plug in: "Here's a Kali Linux install, see what all you can own." Give them a half hour, an hour, see what they can do. There's nothing wrong with doing that; there's nothing that says an interview has to be a bunch of questions.

There's no reason why, for a security analyst, you can't have them parse a packet capture and go through some log files. Give them a list of events and have them categorize it by risk, and actually have them justify: why is this more dangerous than this? There's no reason why you can't have them do that. You can even have them look at the SIEM and say, "Okay, where are the interesting events? What are the crazy things that are going on? What are the things that we should be the most worried about?" You can always do things like this.

For an engineer or architect, maybe have them work out some firewall rules based on some specifications. I love just asking people open-ended questions like, "Would you whiteboard out a secure network for me?" It's like, what does that mean? Well, you can learn a lot about a person from how they interpret that question, how they actually go through and draw it out. This one almost falls in the category of being mean, but you do it:

really misconfigure something and then see if they can fix it. That can be something that can be pretty interesting: how people work through a problem, how they approach it. Demos are great, but again, never waste a demo on a first interview. Make sure they actually get through that first one before you waste it, because these can take a lot of time, and you don't want to spend a bunch of time dealing with people going through a demo if they're not going to be a good candidate.

When it comes time to end the interview, an easy one is, "Do you have any questions for us?" See if they've been listening. Good candidates usually have questions; they want to know, "Okay, well, what is it about this place that makes it special? What are my benefits going to look like?" Whatever the questions are, good candidates usually aren't going to just be like, "No, okay, see you later." That's not typically good candidates. Ones that are actually going to be engaged in the process are going to have some questions for you. Leave this as a chance to close, to use a sales term. If this is somebody that you think, "Hey, this guy's got a lot of potential, I want this guy in my company," highlight the desirable aspects of your company again, reiterate their expectations, give them fair expectations about when you're going to be making a decision, and try and stick to it. If you don't stick to it, follow up with an email on what's going on. This is your chance to close it out and actually do it.

So we've gone through this process, you've hired somebody, now what? This is just one little note. You spend a ton of time hiring someone, finding the right candidate, doing everything. Never forget the day that everyone remembers the most on any job is their first day and their last one, so make it a real positive impression. No one wants their first day, their onboarding, to be, "Okay, I came in and I watched eight hours of training videos and then I went home." All the energy and excitement that they have about having a new job, you've curbed a lot of that. Make sure they can contribute, have fun; actually have them jump in and contribute, be like, "I'm so glad you're here, here's a problem that we've

been trying to fix for a while, I'm just going to have you jump right into it and see what you can solve." Here are some ideas: get them in with the team, get them right in interacting with people, actually make them feel like they're part of the team on day one. I think that's really, really important.

So, as a final thing to my talk here, this is something that, for people like me who came out of a purely technical background and are now in more of a manager role, trying to figure this out, I'd love to know what I can do more, for the community, for everyone, sort of on this topic. Is it something where we should have a questions database of interview questions that we like to go through, ways of interviewing, ways of talking? Are there other topics about management, doing these other things, that are useful to a technical audience, that we're actually able to look at and discuss and help us all get better at this particular topic? I'd love to hear it, love to figure out a way that I can continue to contribute and give back. So, just to close up, thank you very much to BSides for having me talk today, appreciate the opportunity, and I welcome any questions that people have. Love to talk. So yeah, how are you doing?

Right, right. Usually, I would certainly never do that multiple choice. You usually want to have some sort of standardized... at least you'll ask at least the basic same questions to the same ones, but just because HR wants you to ask standard types of questions doesn't necessarily mean you can't ask the specific ones that you want. As long as you get through those questions, typically, if there are ways that you follow up, like, "I want to follow up on this answer that somebody gave," I think that's perfectly fair. Sometimes it can get you a little bit of trouble, but you just kind of have to... we're all hackers, figure out how to work within the system to break the system, that kind of thing. Sure.

Oh yeah, questions. Well, as opposed to going shotgun, I would really, like I said, go back to what you really think that they're going to need to do, the most critical things that they're going to have to do, and if you really target those particular things, I think that basically will give you a really good picture of what they are. It is a lot like dating, it really is, and that's kind of almost why I love getting them out for a beer first, just to be honest with you. Anytime anyone pushes back on budget with that, I'm like, how much money am I saving by not having to get rid of somebody later? A couple of beers, you can afford it. Yeah, go ahead. Yeah, right. [Music]

[Music] Right, yeah. Well, I would say that I think that is a battle that's probably best fought before the interviews even start. Obviously it's too late after the fact, but if you can really convince them of, "Okay, well, here are the things that we actually really, truly need," you can actually get that hammered into their head. Unfortunately, sometimes with this kind of thing, it's like, results: when they get tired of tripping over themselves enough times... I'm actually not kidding, I've had other managers of other departments ask me to do their hiring for them. So if you can actually get into that kind of position where you can fight that battle beforehand and really present your case well, because if you can actually hire the right people the first time, it's really so much of a cost savings. There's a huge amount of efficiency that you save, and you really do save a lot of time. Oh yeah, go ahead. [Music]

Absolutely, yeah, sure. I love the open-ended type of ones. I like to actually have the discussion; that's kind of why I tend to try and keep the number of questions as limited as I can, because I want to be able to follow up with people, I want to be able to go through and let them do those open-ended questions, because open-ended ones definitely tend to tell you a little bit more about what their knowledge is, what their thought process is, than if you just ask them a really point-blank question. I mean, the worst thing you can ever do in an interview is ask a yes-or-no question. You're not going to learn anything about it. So, oh yeah, you got one more? Yeah. Well, I mean,

as a start-up, I end up getting a lot of... I tend to bring on a lot of people that are relatively green and then train them up and get them to where I want to go. That's usually the philosophy I've used, so I've actually found the colleges are phenomenal. One of the universities that I went to, that I believe in, every year I go out and talk to the security class, every single year, and I always end up grabbing the best and brightest out of the program, trying to bring them in and grow the program that way. In a way, I've done it so much that they were going to cancel the program for a year and I said, "No, let me teach it." They said okay, so I don't know what I'm getting into, but next year I get to teach. So we'll see what happens there. But yeah, that's the one that I've had the most success with. Any sort of networking or anything where you can actually meet people and interact with them socially, I think, is the one that is always going to pay the most dividends, because then, again, before they even step in the interview room, you know a good deal about the person; you've actually vetted them out a decent amount. So, all right. Oh yeah, one more, and then I'm getting the... yeah.

That's a good question. Usually, a lot of times, the perspective is sort of assumed knowledge. Even when I think that people are dumbing things down, sometimes they really aren't. That whole idea, particularly for a lot of our... we have a kind of clients that are small, like 11-room kind of spots, and we deal with some of them that are pretty small and have to help them with a security assessment. Being able to actually explain it in layman's terms is something that really gets critical for us, and even as you go up into bigger organizations: okay, well, I've got a presentation to the board of directors, can I actually explain this well enough? Sometimes I've actually found that even for me, man, I really wasn't explaining that as well as I thought I was, until you actually get somebody who's really non-technical in the room. You can get a good filter on how that actually works and if they're actually hearing things properly. Does that kind of make sense? Yeah, awesome.

So, all right, well, that's all I got. I'm on Twitter at the Liz Nia, my email addresses are up there, feel free to ping me if any of you guys have any questions or you want to talk further. Always happy to chat with you guys, so thank you very much. Appreciate it.